Identity theft has
become a hot topic in today's society, with television commercials
oversimplifying and trivializing the threat by focusing on the
potential financial consequences. Identity theft is a more
seri­ous threat than someone draining a grandmother's bank
account. False or fraudulent documents could help terrorists enter
the United States and establish themselves in preparation for an
attack on the coun­try. Since this country relies primarily on
identity-based security systems, secure identity documents are
critical to national security.

Taking advantage of the
available technologies could help to minimize the inherent
weaknesses in an identity-based security system. To secure
docu­ments from fraud, policymakers need to examine carefully
the available technologies, reviewing their capabilities,
requirements, infrastructure demands, and costs. They should also
consider how these technologies could affect individual privacy and
fundamental liberties. Finally, policymakers should work in
conjunction with the private sector and other stakeholders to
create a compendium of best practices that uphold the principles of
federalism while ensuring a successful strategy for identity
security.

Types of Identity
Documents and Their Uses

"Identity document"
refers to a wide variety of doc­uments-from birth certificates
to credit cards-that are used for many purposes. Because of this
variety, it is important to distinguish between base identity
documents, also known as breeder documents, and secondary identity
documents.

For instance, an
acceptable national base iden­tity document is a birth
certificate. Internation­ally, a passport is typically
considered a base identity document. Secondary identity
docu­ments (e.g., driver's licenses, credit cards,
immi­gration visas, and green cards) are obtained by showing
proof of the base identity documents. Base identity documents can
also be used to obtain access to specific data or secure locations
at the workplace.

Types of Document
Fraud

With so many types of
identity documents, there inevitably are many ways to perpetrate
fraud. Successfully replicating or emulating a base docu­ment
increases the likelihood of obtaining legiti­mate secondary
documents-or, rather, secondary documents that appear legitimate
even though they are based on the false base documents. It is also
possible to obtain legitimate secondary docu­ments without base
documents. Securing an iden­tity document is a vital first step
for a terrorist or anyone else who wants to enter the United States
illegally.

Tactics for entering
the United States using illicit documents include traveling on
fake, sto­len, or forged passports; hiding past travel by
acquiring a new passport by claiming that the old passport was
lost, stolen, or damaged; and travel­ing under "legitimate"
passports that have been purchased blank and filled in with false
personal data. Terrorists have also used legitimate means to enter
the United States, including entering as students, requesting
political asylum, and avoid­ing immigration inspection upon
entrance.[1] These
tactics highlight the need for security pro­fessionals to be
able to validate identity docu­ments, not just generally to be
on the lookout for fraudulent papers.

The Problem

Behind every type of
identity document should be a person. In this country, proof of a
person's legal existence is often required for transactions and for
access to places and things. From obtaining pass­ports and
visas to protecting critical infrastructure, security systems must
be in place to ensure that the person requesting access to a
location or informa­tion is actually the person indicated by
that person's identity document. Currently, security officers have
very limited means of validating documents and verifying that they
are based upon legitimate breeder documents.

For example, the 9/11
hijackers used identity documents to enter United States repeatedly
on non-immigrant visas. While these men could and should have been
stopped for many reasons, their use of student and visitor visas
was not one of those reasons. In fact, many known terrorists who
have lived in or have been extradited from the United States
entered legally and had legitimate green cards. In other words,
they claimed immigrant sta­tus and were on the "path to
citizenship."[2]

Another potential
weakness in relying on identity documents is the personnel who
issue the docu­ments. Are the guards and other personnel
responsi­ble for identity documents and access doing their jobs
effectively and faithfully, or are they scoping out weaknesses in
the system? For instance, in May 2004, workers at department of
motor vehicles (DMV) centers in northern Virginia were selling
driver's licenses on the side to people who were in the country
illegally. Despite legislation that tight­ened loopholes, two
more workers from the same DMV centers were arrested and convicted
a year later.[3] In
addition to the nation's border, access to and protection of
critical infrastructure also rely to a great extent on
identity-based systems.

Current ID Validating
Technologies

Basing a security
system on identity documents is a convenient but flawed method of
providing security. However, a wide range of available
tech­nologies could improve the ability of security
sys­tems based on identity documents to discriminate and verify
identities accurately. Marking and radio frequency identification
(RFID) tagging are two main types of such technology.

Better use of the
technology holds promise for improving identity document standards
and for hin­dering, if not preventing, criminals and terrorists
from using identity documents for nefarious pur­poses.
Policymakers should carefully examine the technologies available
for securing identity informa­tion, including their
capabilities, requirements, infra­structure demands, costs, and
how they would affect individual privacy and fundamental
liberties.

Marking.Marking something
as a signal of authenticity has been used for thousands of years.
The Romans used unbroken wax seals imprinted with the ruler's
insignia to verify that messages and orders had not been revealed
or tampered with. Although still used on the occasional wedding
invi­tation, this ancient technology is not fit for today's
security challenges. However, two types of advanced marking-digital
and metal-could be used to apply a security layer to identity
documents, thereby linking different layers of security or
information to the document to verify its authenticity.[4]

Digital marking
involves storing information as an image. This could be a Social
Security number or biometric information like a facial image or
finger­prints. The digital mark consists of a layer in the card
and is only machine-readable (i.e., invisible to the naked eye).
Bar codes, laser engraving, microprint­ing, and watermarking
are all types of digital mark­ing. Cards with digital
watermarks are designed to limit the validity of the ID and thus
adapt to chang­ing information requirements.

Digital watermarking
has been used widely in the media industry to prevent piracy and on
the Internet to secure Web sites and personal computers from
hackers. The concept behind all digital watermark­ing
technology is the same: A machine "reader" reads the watermark and
checks the information against a database, such as terrorist watch
lists.

Holograms are metal
devices implanted in iden­tification cards to allow a machine
or a human eye to authenticate the document. Holograms do not
connect automatically to other information or data­bases. The
metal hologram is durable and can be adapted to new technologies or
demands. The con­cept behind markings such as holograms is to
pro­vide an eye-readable or machine-readable marking that will
prove effective and durable.

Because holograms can
be read by the human eye, their use does not require that expensive
equipment be provided to every local, state, and federal law
enforcement officer. Instead, the holo­gram can be instantly
authenticated, whether at the local DMV by a small machine or on a
rural road by the human eye. This is particularly important to
small communities that may not be able to afford machines for every
field officer. A hologram can last up to 10 years, which keeps down
upgrade costs, unlike many other technology solutions. Hologram
technology is also reasonably mature.

RFID
Tagging.Already popular for
retail store security systems, an RFID tag has the capability to
"talk" to its homing device, up to two meters away. For example, if
someone tries to shoplift from the local mall, the tag in the item
sets off alarms when the shoplifter carries it through the security
point. The homing device that controls settings for the
identification tag can be mobile or fixed. A tag can store and
relay only minimal information. The amount and types of information
stored depend on the type of encryption, the tag's memory, and the
format of the stored information.

Research into RFID
technology began in the United States in the early 1940s as a means
by which to track allied and enemy planes. By the 1970s, the
technol­ogy was used to track nuclear materials.[5] Today,
RFID technology has spread throughout the public and pri­vate
sectors. Due to its versatility, people are now starting to use it
in identity documents as well.

The technology behind
RFID consists of a chip embedded in a tag and an antenna that
transmits information from the chip to a reader that is hooked up
to a database. Three types of tags exist: passive, semi-passive,
and active. A passive tag does not contain a power source (e.g., a
battery) and must be activated by another source. A semi-passive
tag does not actively transmit, but it can store information. An
active tag contains an indi­vidual power source, and its data
can be updated or reconfigured throughout its lifecycle.[6]

A wide variety of
information in various forms may be stored on the chip. Financial
institutions are using RFID technology to fight credit card fraud.
The RFID technology is being developed to enable personal credit
cards to be authenticated more accu­rately through read-once
codes rather than the stan­dard code that stays with the card
for its lifecycle. This changing code, transmitted mere inches from
the machine "reader," could reduce the risk of con­sumer credit
card fraud.

A similar system could
be used to secure base identity documents or even secondary
identity doc­uments. Information, ranging from biometrics to
tracking data on entries into and exits from the country, could be
stored on the chip. Most uses in government and the private sector
continue to cen­ter around tracking physical materials,
although the Department of State is considering using the
tech­nology in electronic passports and the Department of the
Treasury is reviewing its use for access control and records
management.[7] The
Department of Homeland Security (DHS) also plans to use it for the
automated US-VISIT program, which tracks visitors' entries into and
exits from the United States.[8]

Although a relatively
mature technology, RFID tags have been adopted only in
approximately the past decade. The use of RFID technology continues
to grow. The commercial sector and government agencies are working
together to set standards and guidelines for more secure IDs, which
are man­dated by Homeland Security Presidential Directive 12[9] and the
Intelligence Reform and Terrorism Pre­vention Act of
2004.

The central challenge
for policymakers who wish to use RFID technology remains privacy.
Most policy research in this area focuses on consumers and what
happens to the information stored on the RFID chip once items have
been purchased. Using RFID tech­nology to authenticate identity
documents raises con­cerns about the data collected by the tag,
what data it stores, and how it stores the data. The Privacy Act of
1974, which addresses the "retrieval of personal infor­mation"
rather than its subsequent use, may provide guidance on how RFID
technology can be used.[10]

Current
Legislation

In recent years,
Congress has noted the need for secure identity documents. The
Intelligence Reform and Terrorism Prevention Act of 2004 called on
the DHS and the State Department to integrate travel documents with
other intelligence for fighting ter­rorism and to support DHS
and State Department field offices with appropriate technology.[11] In
2005, Congress took measures to strengthen national secu­rity
by using identity cards. An amendment in the 2005 appropriations
bill authorizes the Department of Homeland Security to set federal
standards for all state driver's licenses. It does not require that
states add more information to driver's licenses, but it does set
stricter security standards for the identity docu­ment-security
standards that reach beyond the physical document
itself.

Privacy
Concerns.Privacy is a prominent
con­cern in the discussion of how best to secure identity
documents. Are the data stored on one large data­base or just
on the ID itself? Generating IDs might be more difficult if the
information is stored only on the electronic ID. The processes for
gathering and authenticating the information remain, but resources
would be able to focus on gathering and authenticating rather than
physically protecting a large infrastructure system. In addition,
abuse of personally identifiable information by individuals
involved in ID fraud or by the government, even with the best
intentions of securing the informa­tion, is a serious
concern.

Congress should give
serious thought to how the government can assist in safeguarding
information from wrongdoers while maintaining government access to
information needed to carry out legiti­mate law enforcement,
capture terrorists and pre­vent terrorism, and combat other
threats to national security.

Much of the public
debate about information sharing and analysis uses the word
"privacy" in a manner that is imprecise and misleading. For
exam­ple, many of the most vocal privacy advocates assert that
any time government obtains or uses informa­tion that someone
would prefer not to disclose to the government constitutes a
violation of the person's constitutional "right to privacy."
However, the Supreme Court has flatly rejected this claim that the
Fourth Amendment can "be translated into a general constitutional
'right to privacy.'"[12]

Congress's efforts to
regulate private information should be understood in constitutional
context. Congress has been struggling with creating a legal
framework that protects personal information while allowing the
data to be used for security pur­poses. One such attempt is the
proposed Data Accountability and Trust Act (H.R. 4127).
Intro­duced in October 2005, the bill calls on the Federal
Trade Commission to "protect consumers by requiring reasonable
security policies and proce­dures to protect computerized data
containing per­sonal information and to provide for nationwide
notice in the event of a security breach." Implemen­tation of
such legislation should be crafted to address privacy and security
concerns adequately.

The federal government
is not alone in its quest for good security policy that balances
privacy con­cerns. Many states from California to New York are
debating legislation in their legislatures to mit­igate privacy
infringements unwittingly created by federal policies.[13]

Share

Policymakers need to examine available technologies, reviewingtheir capabilities, requirements, infrastructure demands, andcosts; consider how these technologies could affect individualprivacy and fundamental liberties; and work with the private sectorand other stakeholders to create a compendium of best practicesthat uphold the principles of federalism while ensuring asuccessful strategy for identity security.

Rep. Peter Roskam (R-IL) says it's "a great way to start the day for any conservative who wants to get America back on track."

Sign up to start your free subscription today!

Sorry! Your form had errors:

About The Heritage Foundation

The Heritage Foundation is the nation’s most broadly supported public policy research institute, with hundreds of thousands of individual, foundation and corporate donors. Heritage, founded in February 1973, has a staff of 275 and an annual expense budget of $82.4 million.

Our mission is to formulate and promote conservative public policies based on the principles of free enterprise, limited government, individual freedom, traditional American values, and a strong national defense. Read More